
Spyware Protections

The FDIC has issued FIL-66-2005 to provide guidance on the steps an institution should take to protect itself from spyware attacks. Not surprisingly, the first step is to consider the threat of spyware in the institution's risk assessment. The risk assessment should evaluate both the institution's own vulnerability and the potential damage and exposure for customers.

Step two is to enhance security and Internet use policies and procedures. Like many policies and procedures, those relating to spyware need regular review and evaluation to ensure that they keep pace with the threat.

Step three is to ensure that all staff are aware of the spyware policies and procedures. This means not only effective training but clear communication of the policies and procedures. It also means that all staff should understand how and when to report a possible issue. Understanding and observing the policies is not enough. The system only works if essential information circulates rapidly through the organization.

Step four is to educate consumers. As a trusted resource, financial institutions are in the best position to provide consumers with information they can trust. Advice that comes from you is more credible than advice from an anonymous source on the Internet that looks a great deal like spam. The FIL even suggests that you provide consumers with information about the risks of using computers other than their own. While this may seem outside your responsibilities to the customer, you do need to consider that customers may be using a hotel computer or an Internet café to do their banking with you.

Customer education should also include guidelines on how the customer can tell that an e-mail is from the financial institution and not from a phisher. An important protection for both the customer and your institution is to have clear protocols on how electronic communications take place and what security features they must contain, so that a message lacking those features can be recognized as suspect.

Finally, step five involves staying on top of evolving authentication techniques. Asking for the customer's mother's maiden name does not do the trick. Asking for the customer's account number or Social Security number also falls short of the necessary standard. Any piece of information that can be, and is likely to be, stolen should not be used as an authenticator. You should have other ways to confirm the customer's identity. And authentication should run in both directions: the customer should have ways to be sure they are dealing with the correct institution.

Whether motivated by Gramm-Leach-Bliley, the FACT Act, or other information security concerns, this subject is only going to get bigger. So study FIL-66-2005 and stay alert for future guidance as well.

Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 9, 8/05

First published on 08/01/2005
